Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject:  ACTION: Quality Control Review on the Vulnerability Assessment of FAA's Operational Air Traffic Control System
          Report Number QC-2011-047
Date:     April 15, 2011

From:     Louis C. King
          Acting Assistant Inspector General for Financial and Information Technology Audits
          Reply to Attn. of: JA-20

To:       Federal Aviation Administrator


This report summarizes the results of our information technology vulnerability assessment of the Federal Aviation Administration's (FAA's) operational Air Traffic Control (ATC) systems. This audit was requested by the now-Chairmen of the House Transportation and Infrastructure Committee and the Subcommittee on Aviation.

FAA has 21 Air Route Traffic Control Centers (ARTCC) geographically dispersed across the United States. These Centers are the major communication hubs for flight plan routing and the systems that provide radar and communication services to aircraft operating above 18,000 feet. ATC systems communicate with one another via the same technology used for Internet communication. Although not all ATC systems can be accessed from the Internet, FAA has designed some support systems residing within its Mission Support/Administrative System Network (MSSN) with accessibility through the Internet.

This audit assessed ATC systems and networks located at two FAA facilities within the continental United States. Clifton Gunderson LLP of Calverton, Maryland, completed the audit under contract to the Office of Inspector General (OIG). Clifton Gunderson's audit approach included developing and executing steps within OIG-approved Rules of Engagement (ROE). ROE establish guidelines that determine how selected security tests are conducted. OIG staff performed a quality control review of Clifton Gunderson's audit work to ensure that it complied with generally accepted government auditing standards. Our review disclosed no instances in which Clifton Gunderson did not comply in all material respects with applicable auditing standards. A detailed report was provided to FAA but will not be released to the public due to the sensitivity of the information it contains.

The objective of this audit was to determine whether operational ATC systems can be accessed by unauthorized users from inside ATC facilities through FAA's MSSN. Clifton Gunderson concluded that they were unable to gain access to FAA's operational ATC systems. However, they identified the following weaknesses at the ARTCCs: 1) information disclosure vulnerability; 2) inadequate system patch levels and unsupported operating systems; 3) improper network configurations; and 4) communication system vulnerabilities.

1. Information Disclosure Vulnerability

Clifton Gunderson identified an information disclosure vulnerability during testing at one ARTCC that allowed them to view, without using a password, hundreds of pages of sensitive technical information describing network configuration, gateways and other devices. This sensitive information may provide a rogue employee or contractor sufficient understanding to identify and exploit weaknesses in the ATC security structure.

2. Patch Management Vulnerabilities on FAA's MSSN

Clifton Gunderson's review of MSSN revealed several critical and high risk Common Vulnerabilities and Exposures (CVE)[1] related to missing or outdated system patches or the running of operating systems no longer supported by their vendors. System patch levels and operating systems that are not kept current not only may result in system unavailability, but may also create a risk of exploitation of security holes for access to ATC systems and data. Any of these systems could be compromised, allowing the attacker to use the system to hide his or her identity in order to launch more attacks.

[1] The Mitre Corporation maintains a database of Common Vulnerabilities and Exposures (CVE) and shares it with the world-wide information technology user community at http://cve.mitre.org/about/faqs.html.

3. System Configuration Vulnerabilities on FAA's MSSN

Clifton Gunderson's review of MSSN also revealed several critical and high risk CVEs related to improper system configurations. An attacker could leverage these vulnerabilities to gain total control of the systems. Furthermore, the systems could be used to compromise other systems that depend on the same network management and configuration services.

4. Communication System Weaknesses

Clifton Gunderson's review identified a communication system at one location that does not require complex passwords and is no longer supported by the vendor. This lack of sufficiently complex passwords could lead to unauthorized manipulation of the communication system, a total system shutdown, or falsification and impersonation of facility communications.

Clifton Gunderson's recommendations to correct these and other control deficiencies appear in this report's Exhibit A.

ACTIONS REQUIRED

Clifton Gunderson provided FAA a draft of the report on February 26, 2011, and received FAA's written comments on April 12, 2011. FAA concurred with all audit findings and recommendations, and has agreed to develop plans to implement corrective actions to remediate all weaknesses. We request that FAA give us a written response that includes specific action taken or planned for each recommendation and target dates for completion.

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Clifton Gunderson's recommendations are subject to follow-up.

We appreciate the courtesies and cooperation of the Department of Transportation's representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-4350, or Nathan Custer, Program Director, at (202) 366-5540.

Attachments

cc:  Chief Information Officer, DOT
     Chief Operating Officer, ATO
     Assistant Administrator for Information Services/CIO, FAA
     Martin Gertel, M-1
     Anthony Williams, AAE-001


EXHIBIT A. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

Clifton Gunderson LLP made the following recommendations during its Vulnerability Assessment of FAA's Operational Air Traffic Control System. OIG agrees that FAA management should implement these recommendations in order to enhance FAA's ATC controls.

Information disclosure vulnerability

1.  Restrict access to this site by requiring users to enter IDs and passwords, after demonstrating a valid business need or justification to access this data.

2.  Review the value of the information available on the site which should be otherwise protected from dissemination.

3.  Review and monitor individual accesses to this information to ensure the documents accessible are appropriate based on the level of the user's need to know.

4.  Monitor (for reasonableness) any distribution or download of any document which provides information otherwise protected from dissemination.

Patch management vulnerabilities on the FAA MSSN

5.  Apply software patch releases on a timely basis to protect against known vulnerabilities.

6.  Ensure the system's Authorizing Official (AO) is promptly informed and a risk acceptance is received for any Critical or High vulnerabilities that are not promptly addressed. If the risk acceptance lapses, or the situation changes, the AO should renew the acceptance of the risk to ensure he/she is kept aware of the unmitigated vulnerabilities present on the system.

7.  Upgrade system software and supporting applications to a vendor-supported version.

System configuration vulnerabilities on MSSN

8.  We recommend FAA management disable network services that are determined to be unnecessary or not to serve a valid business purpose.

Communications system weaknesses

9.  Upgrade the communications operating system to a supported version.

10. Require that passwords meet complexity requirements in accordance with DOT/FAA policies.